Description

BACKGROUND OF THE INVENTION 

1. Field of the Invention

[0001] The present invention relates to an access 
point device and an authentication method thereof. 
More particularly, the invention relates to an access 
point device and its authentication method which avoid 
unauthorized access from mobile stations of malicious 
intruders in a radio-based, wireless LAN system. 

2. Description of the Prior Art 

[0002] In recent years, the explosive prevalence of 
the Internet has been increasing the cases of construct- 
ing LANs (Local Area Networks) in office, home, and the 
like. In view of advanced digital radio communication 
technologies, the needs for LANs constructed by radio, 
or so-called wireless LANs, have been growing greatly 
due to the inconvenience of cable wiring. Furthermore, 
the availability of the wireless LANs with mobile termi-
nals, typified by notebook PCs, in a mobile environment
also contributes to numbers of prevalence expected in
the future. Among existing typical technologies for wire- 
less LANs is IEEE 802.11 which is standardized by IEEE 
(Institute of Electrical and Electronics Engineers). This 
standardized technology provides definitions from a 
physical layer to a datalink lower sublayer, or a MAC 
(Media Access Control) layer, in the OSI model. It in- 
cludes specifications that allow a substitution of the Eth- 
ernet, or wired LAN transmission channels, and also 
provide a roaming function as a wireless-related addi- 
tional function. 

[0003] Now, when a LAN is constructed by the wired 
Ethernet or the like, establishing connection with the 
LAN involves physical connection of cables to a hub and 
the like. This means a very high security level at the da- 
talink level. That is, even if intruders make an unauthor-
ized intrusion into an office or the like in order to connect
their terminals to the network, they need to conduct the
physical operation of connecting cables, which is ex-
tremely difficult to achieve in secrecy due to typical LAN
arrangements (of relatively small to medium LANs, in
particular). The reason is that in most cases, the LAN
users and the hubs, routers, and the like that constitute
the LAN are in the same room. On the other hand, in a
wireless LAN system, the above-mentioned operation
of connecting Ethernet or other cables is replaced with
an automatic association procedure. In the above-de- 
scribed existing IEEE-802.11 systems and the like, this 
association procedure is a procedure in which mobile 
terminals get recognized of their existence by access 
points which are connected to a wired backbone net- 
work or the like. Then, the completion of this procedure 
enables data communication. In this procedure, a mo-
bile terminal lying in a finite area covered by an access
point performs, in advance of the association, an option-
al authentication procedure with respect to the access
point so as to ensure security at the datalink level.
[0004] According to this association procedure, the 
mobile station issues an association request to the ac- 
cess point, with a service set identifier (SSID) added to 
the association request message. The access point re- 
ceiving this message identifies the mobile station by the 
above-mentioned SSID, and determines whether or not 
to authorize the association in accordance with a pre-
determined association authorization rule. If it authorizes,
the access point sends an association-authorizing re-
sponse message to the mobile station. If it rejects, it sends
an association-rejecting response message. Therefore,
this association procedure by itself cannot prevent those
who try to intrude into the network with evil intent from
establishing association easily once they acquire the
SSID. In order to prevent this and perform the associa-
tion procedure as well, the option of executing an au-
thentication procedure is provided. That is, according to
the system provided with the option of executing an au-
thentication procedure, the mobile terminal, unless it
completes the authentication procedure, cannot estab- 
lish the association to start data communication. This 
consequently provides an effective function to avoid un- 
authorized association from malicious mobile terminals 
in the above-mentioned finite area, the unauthorized as- 
sociation requiring no physical connecting operations. 
[0005] In IEEE 802.11, this authentication procedure
is defined as the Shared Key Authentication procedure.
Now, this procedure will be described with reference to 
Figs. 5 and 6. 

[0006] Fig. 5 is a diagram showing the general con-
figuration of a conventional wireless LAN system. Fig.
6 is a diagram showing the control sequences of con- 
ventional authentication and association procedures. 
[0007] In Fig. 5, the reference numeral 1 represents
a wireless area network, 2 an access point AP, 3 a mo-
bile station MT1, 4 a mobile station MT2, 5 a mobile sta-
tion MT3, 6 a mobile station MT4, and 7 networks other
than the wireless area network 1.
[0008] The wireless area network 1 includes the ac-
cess point AP 2 and the mobile stations MT1, MT2, MT3,
and MT4. The access point AP 2 is connected to the
other networks 7 which are realized by wired transmis-
sion channels. The mobile stations MT1-MT4 lie in the
finite area covered by the access point AP 2. Fig. 6
shows the sequences for situations where, in the wire-
less area network 1, a mobile station (for example, MT1)
is turned on or otherwise operated to initiate the pre-
association authentication procedure with respect to the
access point AP 2.

[0009] Initially, the mobile station MT1 sends to the 
access point AP 2 an authentication request message 
1 for initiating the authentication procedure by the 
Shared Key Authentication method. Receiving this mes- 
sage at AP authentication processing 8 (AP authentica- 
tion processing "1"), the AP 2 makes a numerical oper-
ation in accordance with the WEP (Wired Equivalent Pri-
vacy)-PRNG (Pseudorandom Number Generator) algo-
rithm by using the Initialization Vector and Secret Key
values, which can be determined arbitrarily on each ex-
ecution of this authentication procedure, as the param-
eters. The access point AP 2 thereby calculates a
128-octet uniquely-determined Challenge Text value,
and sends an authentication response message 1 in-
cluding this value to the mobile station MT1.
[0010] Next, receiving this authentication response 
message 1 at MT authentication processing 9, the mo- 
bile station MT1 ciphers the Challenge Text value includ- 
ed therein, in accordance with the WEP cipher algorithm 
by using the Shared Secret Data and Initialization Vector 
as the parameters. The result and the aforementioned 
Initialization Vector are included into an authentication 
request message 2, which is returned to the access
point AP 2. 

[0011] Then, receiving this authentication request 
message 2 at AP authentication processing 10 (AP au-
thentication processing "2"), the access point AP 2 de- 
codes the ciphered Challenge Text value received, 
based on the Initialization Vector received concurrently 
and the aforementioned Shared Secret Data known in 
advance. The resulting value is compared with the orig- 
inal Challenge Text value described above. If identical, 
the authentication is authorized. If not, the authentica- 
tion is rejected. The result of this is returned as an au- 
thentication response message 2 to the mobile station 
MT1. Then, if the result is of authorization, the mobile 
station MT1 receiving this authentication response mes- 
sage 2 can enter the subsequent association procedure. 
In the cases of rejection, the association procedure can- 
not be performed due to the failed authentication.
[0012] The association processing here is the same 
as described above. More specifically, the access point 
AP 2 receiving the SSID (Service Set Identifier) in the 
association request message from the mobile station 
MT1 identifies the mobile station by that SSID, and de-
termines whether or not to authorize the association. If
it authorizes, the access point AP 2 sends to the mobile
station MT1 an association response message for au-
thorizing the association. If it rejects, an association re-
sponse message for rejecting the association is sent.
Incidentally, this WEP algorithm is defined by the RC4 
technology from RSA Data Security Inc. 
[0013] In short, according to this authentication meth- 
od, the access point and the mobile stations are previ- 
ously provided with the same secret key, or Shared Se- 
cret Key, to realize the mechanism for the access point 
to grant authentication/association to particular mobile 
stations. Here, the mobile stations implement the 
Shared Secret Key in a form unreadable to general us- 
ers, so as to avoid a theft (read) by malicious intruders. 
Meanwhile, since the Key itself is not transmitted over 
the radio transmission channels, interception is preclud- 
ed to ensure a certain degree of security level. 
[0014] Such an authentication method for a conven-
tional access point device retains security on the as-
sumption that the algorithms for authentication and the 
keys for the authentication would never be stolen by 
those who try to intrude into the network with evil intent. 
This assumption, however, is not 100% secured. That 
is, there is no guarantee that complete duplications of 
authentic terminals would never be made on the access 
point by authorized procedures. Moreover, there is an 
undeniable possibility that the keys stored in user-inac-
cessible memories might be read out in an unauthorized
way by using special equipment. Therefore, if those who
maliciously try to intrude into the network through such
unauthorized activities successfully establish unauthor-
ized association of their terminals, then they can intrude
into the network while remaining hidden physically in the
area covered by the access point, without any physical
operations such as wired cable connection. In other
words, there has been a problem that when a wireless
network is constructed within a closed space (office or
home), the area covered by the central access point is 
susceptible to the association from terminals of those 
who try to intrude into the network with evil intent, which 
lie outside of the closed section, namely, in blind spots 
beyond walls or the like. 

SUMMARY OF THE INVENTION 

[0015] The present invention has been achieved in 
view of such a problem. It is thus an object of the present 
invention to provide an access point device and its au- 
thentication method which can dramatically improve a 
wireless LAN system in security level. 
[0016] An access point device according to the 
present invention is an access point device having an 
interface function with a network constructed of wired 
transmission channels and establishing datalink con- 
nection with a plurality of mobile stations within the area 
of a radio LAN. This access point device includes: noti- 
fication means for notifying a network administrator ad- 
ministering the LAN of the presence of an authentica- 
tion-requesting mobile station so as to gain the final au- 
thorization of an authentication procedure when a mo- 
bile station in the area performs the authentication pro-
cedure before the initiation of an association procedure;
and input means from which the network administrator
notified inputs an authentication-authorizing or -reject- 
ing instruction with respect to the authentication-re- 
questing mobile station. 

[0017] An authentication method for an access point 
device according to the present invention is an authen- 
tication method for an access point device having an in- 
terface function with a network constructed of wired 
transmission channels and establishing datalink con- 
nection with a plurality of mobile stations within the area 
of a radio LAN. This authentication method initiates an 
association procedure after authentication is completed 
of the mobile stations by performing: a first step in which 
the mobile stations and the access point device initiate
a predetermined authentication procedure in response
to an authentication request from the mobile stations to
the access point device; a second step in which the ac-
cess point device, in authorizing the authentication of
the mobile stations by the authentication procedure, no-
tifies a network administrator administering the LAN of
the final authorization of the authentication procedure
and starts an authentication wait timer before the access
point device returns an authentication response mes-
sage, or the final message in the authentication proce-
dure, to the mobile stations, the authentication wait timer
being set at a maximum wait time up to the final authen-
tication; a third step in which the network administrator
provides a final authentication-authorizing or -rejecting
instruction to the access point device before the timeout 
of the authentication wait timer; a fourth step in which 
the access point device, when the network administrator 
provides a final authentication-authorizing instruction 
before the timeout of the authentication wait timer, re- 
turns the authentication response message to the mo- 
bile stations as authentication authorization; and a fifth 
step in which the mobile stations receiving the authen- 
tication response message start the association proce- 
dure. 

[0018] In the third step, the authentication response 
message may be returned to the mobile stations as au- 
thentication rejection when the network administrator 
provides the authentication-rejecting instruction to the 
access point device. 

[0019] Besides, in the third step, the authentication re- 
sponse message may be returned to the mobile stations 
as authentication rejection when the authentication wait 
timer goes time-out before the network administrator 
provides the authentication-rejecting or -authorizing in- 
struction to the access point device. 
[0020] Moreover, in a preferred concrete mode, the
authentication procedure may be the Shared Key Au-
thentication procedure defined in IEEE 802.11.

BRIEF DESCRIPTION OF THE DRAWINGS 

[0021] 

Fig. 1 is a diagram showing the general configura- 
tion of an access point device according to an em- 
bodiment of the present invention; 
Fig. 2 is a diagram showing the control sequence 
of the authentication procedure for situations where 
the access point device of the present embodiment 
authorizes authentication; 

Fig. 3 is a diagram showing the control sequence 
of the authentication procedure for situations where 
the access point device of the present embodiment 
rejects authentication or goes time-out; 
Fig. 4 is a flowchart showing the access point au- 
thentication processing by the access point device 
of the present embodiment; 
Fig. 5 is a diagram showing the general configura-
tion of a conventional wireless LAN system; and
Fig. 6 is a diagram showing the control sequences 
of the authentication and association procedures in 
the conventional wireless LAN system. 

DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENT 

[0022] Hereinafter, a preferred embodiment of the ac- 
cess point device and its authentication method accord- 
ing to the present invention will be described in detail 
with reference to the accompanying drawings. 
[0023] Fig. 1 is a diagram showing the general con-
figuration of the access point device according to the
embodiment of the present invention.
[0024] The access point device 18 in the present em-
bodiment is installed in place of the access point AP 2 
in Fig. 5 described above. More specifically, in Fig. 5 
described above, the wireless area network 1 includes 
the access point AP 2 connected to the other networks 
7 realized by wired transmission channels, and the mo- 
bile stations MT1, MT2, MT3, and MT4 lying in the finite
area covered by the AP 2. In the wireless area network
1, the access point AP 2 is replaced with the access
point device 18 shown in Fig. 1.
[0025] In Fig. 1, the access point device 18 includes 
radio communication processing means 12, an antenna 
19, network interface means 14, authentication/associ- 
ation processing means 13, authentication request dis- 
play means 16 (notification means), and authentication 
input means 15 (input means) so as to realize the radio
connection with the plurality of mobile stations MT1,
MT2, MT3, and MT4. The radio communication
processing means 12 consist of a radio modulation and 
demodulation unit, a baseband signal processing unit, 
and a datalink control unit. The antenna 19 is intended
for radio transmission and reception, and is connected
to the radio communication processing means 12. The
network interface means 14 establish datalink connec-
tion with the other networks 7 through an arbitrary wired
transmission channel 17, and realize the function of in- 
terfacing the data to be transmitted and received by the 
radio communication processing means 12. The au- 
thentication/association processing means 13 realize 
the function of performing the association and authen- 
tication procedures for the radio communication 
processing means 12 to establish the datalink with the 
plurality of mobile stations. The authentication/associa- 
tion processing means 13 also realize the function of
communicating control messages with the radio com-
munication processing means 12, the control messages
to be exchanged with the mobile stations MT1, MT2,
MT3, and MT4. The authentication request display
means 16 provide notification to a user who administers
the wireless area network 1, before the authentication/
association processing means 13 performing the au- 
thentication processing finally grant authorization and 
send an authentication-authorizing message to a mobile
EP 1 161 031 A2
station to be authorized of authentication. The authen- 
tication request display means 16 thereby realize the 
function of notifying the user of the presence of an au- 
thorization-requesting mobile station, through a display 
device, a loudspeaker, or the like. The authentication in-
put means 15 realize the function of accepting button or
other physical human inputs so as to notify the authen- 
tication/association processing means 13 whether or 
not the user who administers the wireless area network 
1 grants authorization or rejection after the presence of 
the authentication-requesting mobile station is notified 
by the authentication request display means 16. 
[0026] Hereinafter, the operations of the authentica-
tion method for the access point device configured as 
described above will be described. 
[0027] Here, description will be given of the sequenc- 
es for the case where a mobile station is turned on or 
otherwise operated to perform the authentication and 
association procedures so that the datalink connection 
with the access point device 18 is established, and for 
the case where the authentication is rejected. 
[0028] Assume here that the mobile station MT1 in 
Fig. 5 described above is the mobile station to perform
the authentication processing, and the mobile stations
MT2, MT3, and MT4 have already completed the asso-
ciation with the access point device 18 for established 
datalink. 

[0029] Initially, referring to Figs. 2 and 4, description 
will be given of the case where the mobile station MT1 
performs the authentication procedure and the network-
administering user authorizes the authentication, fol- 
lowed by the association procedure to establish datalink 
with the access point device 18.
[0030] Fig. 2 is a diagram showing the control se- 
quence of the authentication procedure in the case of 
authorized authentication. 

[0031] The mobile station MT1 is turned on or other- 
wise operated to send to the access point device 18 an 
authentication request message 1 for initiating the au-
thentication procedure by the Shared Key Authentica-
tion method.

[0032] In the access point device 18, the authentica-
tion/association processing means 13 receive this mes- 
sage through the radio communication processing 
means 12. At AP authentication processing 1 (see the 
numeral 20 in Fig. 2), the authentication/association 
processing means 13 make a numerical operation in ac- 
cordance with the WEP (Wired Equivalent Privacy)- 
PRNG (Pseudorandom Number Generator) algorithm 
by using the Initialization Vector and Secret Key values 
as the parameters. Here, the Initialization Vector and 
Secret Key values can be arbitrarily determined on each 
execution of this authentication procedure. The authen- 
tication/association processing means 13 thereby ob- 
tain a 128-octet uniquely-determined Challenge Text 
value, and send an authentication response message 1 
including this value to the mobile station MT1 through
the radio communication processing means 12. 



[0033] Next, at MT authentication processing 21, the
mobile station MT1 receiving this authentication re-
sponse message 1 ciphers the included Challenge Text
value in accordance with the WEP cipher algorithm by
using the Shared Secret Data and Initialization Vector
as the parameters. The resulting value and the Initiali-
zation Vector are included into an authentication request
message 2, which is returned to the access point device
18. Moreover, in the access point device 18, the authen-
tication/association processing means 13 receive this
message through the radio communication processing
means 12. At AP authentication processing 2 (see the
numeral 22 in Fig. 2), the authentication/association
processing means 13 decode the received ciphered
Challenge Text value based on the Initialization Vector
which is received concurrently and the Shared Secret
Data which is known in advance. The result is compared
with the original Challenge Text value stated before, and
if identical, the authentication/association processing
means 13 execute the procedure of AP authentication
processing 3 (see the numeral 23 in Fig. 2). The steps
S30-S33 in the flow of Fig. 4 show this procedure.
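The Shared Key Authentication exchange described in paragraphs [0009]-[0011] and again in [0032]-[0033] (request message 1, the challenge in response message 1, the ciphered challenge with its IV in request message 2, the verdict in response message 2), as an added example written for this page; it is not code from the patent or from any IEEE 802.11 implementation. It assumes RC4 as the WEP cipher (the text says WEP is defined by RC4) keyed with a 3-octet IV prepended to the shared key, a CRC-32 integrity check value appended to the plaintext as in WEP frames, and a constructed 40-bit demo key; the message field names, the `AccessPoint` and `MobileStation` classes and `run_shared_key_auth` are this example's own naming.

```python
import os
import zlib

CHALLENGE_LEN = 128  # octets, as in the exchange described in the text


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher (KSA + PRGA). WEP's PRNG is RC4 keyed with IV || secret key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body: RC4(IV || key) applied to plaintext || CRC-32 integrity check value."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return rc4(iv + shared_key, plaintext + icv)


def wep_decrypt(shared_key: bytes, iv: bytes, body: bytes):
    """Return the plaintext, or None when the ICV does not verify under this key."""
    plain = rc4(iv + shared_key, body)
    text, icv = plain[:-4], plain[-4:]
    if zlib.crc32(text).to_bytes(4, "little") != icv:
        return None
    return text


class AccessPoint:
    def __init__(self, shared_key: bytes) -> None:
        self.shared_key = shared_key
        self.pending = {}  # station -> Challenge Text outstanding for that station

    def handle_request_1(self, station: str) -> dict:
        """AP authentication processing 1: derive a 128-octet challenge with the WEP PRNG."""
        iv = os.urandom(3)  # IV and key may be chosen afresh on each execution
        challenge = rc4(iv + self.shared_key, bytes(CHALLENGE_LEN))
        self.pending[station] = challenge
        return {"seq": 2, "challenge": challenge}

    def handle_request_2(self, station: str, iv: bytes, body: bytes) -> dict:
        """AP authentication processing 2: decipher with the received IV and compare."""
        expected = self.pending.pop(station, None)  # one answer per challenge
        recovered = wep_decrypt(self.shared_key, iv, body)
        ok = expected is not None and recovered == expected
        return {"seq": 4, "status": "authorized" if ok else "rejected"}


class MobileStation:
    def __init__(self, address: str, shared_key: bytes) -> None:
        self.address = address
        self.shared_key = shared_key

    def request_1(self) -> dict:
        return {"seq": 1, "station": self.address}

    def answer_challenge(self, response_1: dict) -> dict:
        """MT authentication processing: cipher the challenge under a fresh IV."""
        iv = os.urandom(3)
        body = wep_encrypt(self.shared_key, iv, response_1["challenge"])
        return {"seq": 3, "station": self.address, "iv": iv, "body": body}


def run_shared_key_auth(ap: AccessPoint, mt: MobileStation) -> str:
    """Drive the four-message exchange and return the status carried in response 2."""
    req1 = mt.request_1()
    resp1 = ap.handle_request_1(req1["station"])
    req2 = mt.answer_challenge(resp1)
    resp2 = ap.handle_request_2(req2["station"], req2["iv"], req2["body"])
    return resp2["status"]


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")  # constructed 40-bit demo key, shared in advance
    ap = AccessPoint(key)
    print("MT1 with the shared key:", run_shared_key_auth(ap, MobileStation("MT1", key)))
    print("MT2 with another key:  ", run_shared_key_auth(ap, MobileStation("MT2", b"other")))
```

The access point only ever compares the deciphered text with the challenge it stored, so the exchange proves possession of the shared key and nothing more: a station whose key has been copied, the case paragraph [0014] raises, authenticates exactly as MT1 does here, which is what the administrator gate of this patent is meant to catch. WEP and Shared Key Authentication are deprecated in current IEEE 802.11 revisions, so the cipher code serves only to reproduce the exchange the text describes.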
[0034] Fig. 4 is a flowchart showing the access point 
authentication processing described above. 

[0035] In this procedure, the authentication/associa-
tion processing means 13 in the access point device 18
initially notify the authentication request display means
16 of authentication wait (step S30). At the same time,
the authentication/association processing means 13
start an authentication wait timer set at an arbitrary time
(step S31), entering a wait for authentication input (step
S32). Meanwhile, the authentication request display
means 16 informed of the authentication wait immedi-
ately notify the network-administering user of the pres-
ence of an authentication-requesting mobile station,
through a display device, a loudspeaker, or the like.
[0036] Here, the authentication/association process-
ing means 13, if they receive a notification from the authen-
tication input means 15 of an authentication-authorizing
input made by the network-administering user inputting
an authentication authorization before the timeout of the
authentication wait timer, send an authentication re-
sponse message 2 indicating the authorized authenti-
cation to the mobile station MT1 through the radio com-
munication processing means 12 (step S33).

[0037] Returning to Fig. 2, the mobile station MT1 
having received this authentication response message 
2, since the result is of authorization, enters the subse- 
quent association procedure to send an association re- 

quest message to the access point device 18.

[0038] Here, in the access point device 18, the au-
thentication/association processing means 13 receive
this message through the radio communication
processing means 12. Then, at the association process-
ing (see the numeral 24 in Fig. 2), the authentication/
association processing means 13 identify the mobile 
station MT1 by the SSID (Service Set Identifier) in the 
association request message, and determine whether
or not to authorize the association in accordance with a
predetermined association authorization rule. If it author-
izes, the authentication/association processing means
13 send an association response message that indi-
cates the authorized association to the mobile station
MT1 through the radio communication processing
means 12. Reception of this association response mes-
sage by the mobile station MT1 establishes the datalink
between the mobile station MT1 and the access point
device 18, allowing data communication thereafter.
[0039] Next, referring to Figs. 3 and 4, description will
be given of the case where authentication is rejected of
the mobile terminal MT1 by the network-administering
user in the authentication procedure, and the case
where the authentication wait timer goes time-out to re- 
ject the authentication automatically. 
[0040] Fig. 3 is a diagram showing the control se- 
quence of the authentication procedure for rejected au- 
thentication/timeout.

[0041] In Fig. 3, the mobile station MT1 is turned on 
or otherwise operated to send to the access point device
18 an authentication request message 1 for initiating the
authentication procedure by the Shared Key Authenti- 
cation method. 

[0042] In the access point device 18, the authentica-
tion/association processing means 13 receive this mes- 
sage through the radio communication processing 
means 12. Then, at the AP authentication processing 1 
(see the numeral 25 in Fig. 3), the authentication/asso- 
ciation processing means 13 perform a numerical op-
eration in accordance with the WEP (Wired Equivalent
Privacy)-PRNG (Pseudorandom Number Generator) al-
gorithm by using the Initialization Vector and Secret Key 
values, which can be arbitrarily determined upon each 
execution of this authentication procedure, as the pa- 
rameters. The authentication/association processing 
means 13 thereby calculate a 128-octet uniquely-deter- 
mined Challenge Text value, and send the authentica- 
tion response message 1 including this value to the mo- 
bile station MT1 through the radio communication
processing means 12. 

[0043] Then, at the MT authentication processing 
(see the numeral 26 in Fig. 3), the mobile station MT1 
receives this authentication response message 1, and
ciphers the Challenge Text value included therein in ac- 
cordance with the WEP cipher algorithm, with the 
Shared Secret Data and Initialization Vector as the pa- 
rameters. The resulting value and the Initialization Vec- 
tor are included into an authentication request message 
2, which is returned to the access point device 18. Be- 
sides, in the access point device 18, the authentication/
association processing means 13 receive this message
through the radio communication processing means 12.
At the AP authentication processing 2 (see the numeral 
27 in Fig. 3), the authentication/association processing 
means 13 decode the ciphered Challenge Text value re-
ceived, based on the Initialization Vector received con- 
currently and the Shared Secret Data known in ad-
vance. The result is compared with the original Chal-
lenge Text value stated before, and if identical, the au-
thentication/association processing means 13 execute 
the procedure of the AP authentication processing 3
(see the numeral 28 in Fig. 3). This procedure is shown 
as the steps S30-S32, and S34 of the flow in Fig. 4.
[0044] In this procedure, the authentication/associa-
tion processing means 13 in the access point device 18
initially notify the authentication request display means 
16 of an authentication wait (step S30). At the same 
time, the authentication/association processing means
13 start the authentication wait timer set at an arbitrary
time (step S31), entering a wait for authentication input
(step S32). Meanwhile, the authentication request display
means 16 informed of the authentication wait immedi-
ately notify the network-administering user of the pres- 
ence of an authentication-requesting mobile station, 
through a display device, a loudspeaker, or the like. 
[0045] Here, the authentication/association process-
ing means 13, if they receive a notification from the authen-
tication input means 15 of an authentication-rejecting in-
put made by the network-administering user inputting 
an authentication rejection before the timeout of the au- 
thentication wait timer, send an authentication response 
message 2 that indicates the authentication rejection to 
the mobile station MT1 through the radio communica- 
tion processing means 12 (step S34). Similarly, when
the authentication wait timer goes time-out during the
authentication input wait (step S32), the authentication/
association processing means 13 send the authentica- 
tion response message 2 that indicates the authentica- 
tion rejection to the mobile station MT1 through the radio 
communication processing means 12 (step S34).
[0046] Returning to Fig. 3, the mobile station MT1
having received this authentication response message 
2 cannot enter the subsequent association procedure 
since the result is of rejection. If necessary, the mobile 
station MT1 notifies its user of the failed authentication 
(see the numeral 29 in Fig. 3). Thus, in this case, the 
mobile station MT1 is incapable of data communication.
[0047] Incidentally, the WEP algorithm mentioned 
here is defined in the RC4 technology by RSA Data Se- 
curity Inc. Besides, the association processing (see the 
numeral 24 in Fig. 2) is identical to the association pro-
cedure defined in IEEE 802.11. 
[0048] Moreover, the arbitrary time the authentication
wait timer is set at can be arbitrarily determined by the
network-administering user, as a value appropriate in
terms of the time that is required from the network-
administering user recognizing the presence of an au-
thentication-requesting mobile station through the au-
thentication request display means to the user inputting
an authorization through the authentication input means
to authorize the mobile station. 
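The administrator gate described in paragraphs [0017]-[0019] and in flowchart steps S30-S34 of paragraphs [0035]-[0036] and [0044]-[0045], as an added example not taken from the patent: the gate is entered after the challenge check of AP authentication processing 2 succeeds, notifies the display means (S30), starts the wait timer (S31), waits for input (S32), and returns authentication response message 2 as authorized on an administrator authorization before timeout (S33) or as rejected on an administrator rejection or on timeout (S34). The clock and notification callbacks are injected so the timer can be exercised without sleeping; `AdminGatedAuthenticator`, `Decision`, `Notification`, `FakeClock` and the 30-second wait value are this example's own assumptions, not names from the patent.

```python
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class Decision(Enum):
    """Button input from the authentication input means (assumed two-button UI)."""
    AUTHORIZE = "authorize"
    REJECT = "reject"


@dataclass
class Notification:
    """What the authentication request display means shows for one waiting station."""
    station: str
    deadline: float


class AdminGatedAuthenticator:
    """Final-authorization gate between a successful challenge check and response 2."""

    def __init__(self, wait_seconds: float,
                 clock: Callable[[], float] = time.monotonic,
                 notify: Callable[[Notification], None] = print) -> None:
        self.wait_seconds = wait_seconds      # maximum wait time chosen by the administrator
        self.clock = clock
        self.notify = notify
        self.pending: Dict[str, float] = {}   # station -> timer deadline while in S32
        self.log: List[str] = []

    def challenge_verified(self, station: str) -> None:
        """AP authentication processing 3 entry: S30 (notify) and S31 (start the timer)."""
        deadline = self.clock() + self.wait_seconds
        self.pending[station] = deadline
        self.notify(Notification(station, deadline))
        self.log.append(f"S30/S31: waiting for administrator input on {station}")

    def admin_input(self, station: str, decision: Decision) -> Optional[str]:
        """Input from the authentication input means during S32.

        Returns the status sent in response 2, or None when nothing is waiting
        for that station (no challenge passed, or the wait already ended).
        """
        deadline = self.pending.get(station)
        if deadline is None:
            return None
        if self.clock() > deadline:
            # Late press: the timer has already expired, so the S34 rejection stands.
            return self._finish(station, "rejected", "S34 timeout before input")
        if decision is Decision.AUTHORIZE:
            return self._finish(station, "authorized", "S33 administrator authorized")
        return self._finish(station, "rejected", "S34 administrator rejected")

    def poll_timers(self) -> Dict[str, str]:
        """Run periodically while in S32; expired timers produce automatic rejections."""
        expired: Dict[str, str] = {}
        for station, deadline in list(self.pending.items()):
            if self.clock() > deadline:
                expired[station] = self._finish(station, "rejected", "S34 timer expired")
        return expired

    def _finish(self, station: str, status: str, reason: str) -> str:
        """Leave S32 for one station and record the response 2 sent to it."""
        self.pending.pop(station, None)
        self.log.append(f"{reason}: authentication response 2 to {station} = {status}")
        return status


class FakeClock:
    """Controllable clock so the wait timer can be driven deterministically."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo() -> List[str]:
    """Walk MT1 (authorized), MT2 (rejected) and MT3 (timeout) through the gate."""
    clock = FakeClock()
    shown: List[Notification] = []
    gate = AdminGatedAuthenticator(wait_seconds=30.0, clock=clock, notify=shown.append)
    gate.challenge_verified("MT1")
    clock.now = 5.0
    gate.admin_input("MT1", Decision.AUTHORIZE)      # S33 within the wait time
    gate.challenge_verified("MT2")
    gate.admin_input("MT2", Decision.REJECT)         # S34 by administrator
    gate.challenge_verified("MT3")
    clock.now = 60.0
    gate.poll_timers()                               # S34 by timeout
    return gate.log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two details matter for the fail-closed behaviour the text specifies: a timer that has expired rejects even if the administrator's button press arrives a moment later, and the pending entry is removed as soon as any response 2 is sent, so a station cannot be authorized twice from one challenge. The value passed as `wait_seconds` is the administrator's choice discussed in paragraph [0048].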
[0049] As has been described above, in the present 
embodiment, the access point device 18 includes the
authentication request display means 16 and the au- 
thentication input means 15. When a mobile station in 
the area performs the authentication procedure before
the initiation of the association procedure, the authenti- 
cation request display means 16 make a notification of 
the authentication-requesting mobile station in the area 
so that the access point device 18 obtains the final au- 
thorization of the authentication procedure from the 
LAN-administering user. The network administrator no-
tified provides an authentication-authorizing or -reject- 
ing instruction to the authentication-requesting mobile 
station through the authentication input means 15. In the
pre-association authentication procedure of a mobile 
station on a wireless LAN system which is physically in-
visible and therefore subject to attacks from network in-
truders with evil intent, the access point device 18 allows
the network-administering user to see who is making the 
association before granting authorization, instead of the 
automatic authorization by the access point. This means
a significant improvement in security level. 
[0050] Moreover, in a wireless LAN system that implements the Shared Key Authentication procedures defined as an option in IEEE 802.11, this authentication procedure can be put into operation with the additional implementation of the access point device alone. No modification is required of the mobile station devices.
[0051] As has been described in detail, according to the present invention, a wireless LAN system can be dramatically improved in security level while mobile station devices can be implemented without any modifications.



Claims 

1. An access point device having an interface function with a network constructed of wired transmission channels and establishing datalink connection with a plurality of mobile stations within the area of a radio LAN, the device comprising:

notification means for notifying a network administrator administering said LAN of the presence of an authentication-requesting mobile station so as to gain the final authorization of an authentication procedure when a mobile station in the area performs said authentication procedure before the initiation of an association procedure; and

input means from which said network administrator notified inputs an authentication-authorizing or -rejecting instruction with respect to said authentication-requesting mobile station.

2. An authentication method for an access point device having an interface function with a network constructed of wired transmission channels and establishing datalink connection with a plurality of mobile stations within the area of a radio LAN, the method initiating an association procedure after authentication of said mobile stations is completed by performing:

a first step in which said mobile stations and said access point device initiate a predetermined authentication procedure in response to an authentication request from said mobile stations to said access point device;

a second step in which said access point device, in authorizing the authentication of said mobile stations by said authentication procedure, notifies a network administrator administering said LAN of the final authorization of said authentication procedure and starts an authentication wait timer before said access point device returns an authentication response message, or the final message in said authentication procedure, to said mobile stations, said authentication wait timer being set at a maximum wait time up to the final authentication;

a third step in which said network administrator provides a final authentication-authorizing or -rejecting instruction to said access point device before the timeout of said authentication wait timer;

a fourth step in which said access point device, when said network administrator provides a final authentication-authorizing instruction before the timeout of said authentication wait timer, returns said authentication response message to said mobile stations as authentication authorization; and

a fifth step in which said mobile stations receiving said authentication response message start said association procedure.

3. The authentication method for an access point device according to claim 2, wherein in the third step, said authentication response message is returned to said mobile stations as authentication rejection when said network administrator provides the authentication-rejecting instruction to said access point device.

4. The authentication method for an access point device according to claim 2, wherein in the third step, said authentication response message is returned to said mobile stations as authentication rejection when said authentication wait timer times out before said network administrator provides the authentication-rejecting or -authorizing instruction to said access point device.

5. The authentication method for an access point device according to any one of claims 2-4, wherein said authentication procedure is the Shared Key Authentication procedure defined in IEEE 802.11.
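The five-step method of claim 2 and the two rejection paths of claims 3 and 4 together form a small state machine on the access point: hold the final authentication frame, notify the administrator, start the wait timer, and then either send a success frame on approval or a rejection frame on refusal or timeout. The following Python model is an added example written for this page; it is not code from the patent or from any product. The class name, the injectable clock, the notification callback and the MAC addresses are all constructed for illustration, and the shared-key challenge itself is reduced to a boolean because the patent leaves that exchange to IEEE 802.11. The security property worth checking is that the gate fails closed: no decision before the timer expires yields a rejection, and a late administrator decision cannot revive an expired request.

```python
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional

# IEEE 802.11 status codes carried in the final authentication frame.
STATUS_SUCCESS = 0
STATUS_UNSPECIFIED_FAILURE = 1


class Outcome(Enum):
    PENDING = "pending"        # administrator notified, wait timer running (second step)
    AUTHORIZED = "authorized"  # administrator approved before timeout (fourth step)
    REJECTED = "rejected"      # administrator rejected (claim 3) or the challenge failed
    TIMED_OUT = "timed_out"    # timer expired with no decision: treated as rejection (claim 4)


@dataclass
class PendingRequest:
    station_mac: str
    deadline: float  # absolute clock value at which the authentication wait timer expires


class FakeClock:
    """Hypothetical injectable clock so the timeout path runs without sleeping."""

    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class AdminGatedAuthenticator:
    """Hypothetical model of the access point's authentication gate (claims 2-4)."""

    def __init__(self, wait_seconds: float, clock: Callable[[], float] = time.monotonic,
                 notify: Callable[[str], None] = print) -> None:
        self.wait_seconds = wait_seconds
        self.clock = clock
        self.notify = notify  # stands in for the authentication request display means
        self.pending: Dict[str, PendingRequest] = {}

    def on_challenge_result(self, station_mac: str, challenge_ok: bool) -> Outcome:
        """Second step: the shared-key challenge has been verified, but instead of
        returning the final frame at once, notify the administrator and start the timer."""
        if not challenge_ok:
            return Outcome.REJECTED  # ordinary 802.11 failure; the administrator is not involved
        self.pending[station_mac] = PendingRequest(station_mac, self.clock() + self.wait_seconds)
        self.notify(f"station {station_mac} requests authentication; "
                    f"authorize or reject within {self.wait_seconds:.0f}s")
        return Outcome.PENDING

    def on_admin_decision(self, station_mac: str, authorize: bool) -> Optional[Outcome]:
        """Third and fourth steps: the administrator's input (the authentication input
        means) decides the final frame, but only if it arrives before the timer expires."""
        req = self.pending.pop(station_mac, None)
        if req is None:
            return None  # nothing pending for this station: already decided or never asked
        if self.clock() > req.deadline:
            return Outcome.TIMED_OUT
        return Outcome.AUTHORIZED if authorize else Outcome.REJECTED

    def expire_timers(self) -> List[str]:
        """Poll the wait timers; every expired request fails closed (claim 4)."""
        now = self.clock()
        expired = [mac for mac, req in self.pending.items() if now > req.deadline]
        for mac in expired:
            del self.pending[mac]
        return expired


def final_auth_frame(outcome: Outcome) -> dict:
    """Build the fourth (final) Shared Key Authentication frame for a decided outcome."""
    status = STATUS_SUCCESS if outcome is Outcome.AUTHORIZED else STATUS_UNSPECIFIED_FAILURE
    return {"frame": "authentication", "auth_seq": 4, "status": status}


def walkthrough() -> dict:
    """Exercise the approve, reject and timeout paths with constructed MAC addresses."""
    clock = FakeClock()
    ap = AdminGatedAuthenticator(wait_seconds=30, clock=clock, notify=lambda msg: None)
    results = {}
    ap.on_challenge_result("02:00:00:00:00:01", True)
    results["approved"] = final_auth_frame(ap.on_admin_decision("02:00:00:00:00:01", True))
    ap.on_challenge_result("02:00:00:00:00:02", True)
    results["rejected"] = final_auth_frame(ap.on_admin_decision("02:00:00:00:00:02", False))
    ap.on_challenge_result("02:00:00:00:00:03", True)
    clock.advance(31)  # administrator never answers within the wait time
    results["timed_out"] = final_auth_frame(Outcome.TIMED_OUT) if ap.expire_timers() else None
    # a decision arriving after expiry must not revive the request
    results["late_decision"] = ap.on_admin_decision("02:00:00:00:00:03", True)
    return results


if __name__ == "__main__":
    for name, frame in walkthrough().items():
        print(name, frame)
```

The wait time passed to the constructor is the value paragraph [0048] leaves to the administrator; in a real access point the `notify` callback would drive the display means and `expire_timers` would run from the timer interrupt or main loop rather than being polled by hand.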